How can I connect to a VPN in Docker without using VPN images?

Good morning!

I'm using Check Point Mobile to connect to my client's VPN, and I have 2 containers in Docker, mysql and karaf, both sharing the network I created using the command docker network create --subnet=vpnAddress mynet

I used the command --network=mynet when running the containers.

Up to here it's all OK: I can connect via PuTTY SSH to karaf, install the kar, and all bundles are OK.

But when calling the services I realize that the container is not connected to the VPN, even though I created a network with the VPN address. I need to be connected to the VPN in order to call the services.

I'm connected externally (outside Docker) to the VPN using Check Point Mobile, but I need Docker to add/connect to the VPN.

I'm using Windows 10 (using Docker with Linux containers). I tried going to C:\ProgramData\DockerDesktop\tmp-d4w and editing the file host.docker.internal too, changing the IP to my VPN address, but none of that works.

I searched a lot, and I saw people talking about Docker VPN images such as NordVPN or OpenVPN, but I can't use those.

I have been told I need to add the VPN network to Docker, but I'm green at networking and I don't know how to do it, and what I did didn't work.

Hope you can help me. Thanks!

Edit: in the Docker engine config I added "bip": "vpnAddress/24". I realize now that the bridge network uses the VPN address; I tried --network=bridge in both the karaf and mysql containers, but now karaf can't connect to mysql. If I use the default docker network create mynet and run the 2 containers using that network it works, but no luck with the VPN this way.

Dapplegray answered 5/8, 2020 at 9:23

Odericus: You should declare the VPN port when running a container with the -p flag.

Dapplegray: @Odericus I just tried that. I did a netstat -a and saw the IPv4 address from the VPN connection. I added 2 ports to the karaf container, the one that says "Listening" and the one that says "established". Even so, no luck :(

Felty: Using a VPN container really isn't an option? It's very easy and secure to use one VPN container and share its network with the container you need (otherwise you'd need to set NET_ADMIN capabilities on your container). You're probably connected to the VPN on your Windows, but Docker is probably running in a VM over Hyper-V, so it's not inheriting the default gateway from your Windows setup.

Dapplegray: @GustavoKawamoto I would like to, but I don't have the certificate, and was told I could do it without it.

I haven't used Docker on Windows, but a quick look at some VPN containers shows that, in *nix at least, they use --device /dev/net/tun --cap-add=NET_ADMIN to expose the VPN "device" to the container. Other containers then use docker networking or links to connect to this VPN container - so looking at how the VPN containers do it might be helpful.

One suggestion for Mac seems to be using extra_hosts like so:

extra_hosts:
  - "vpn.company.com:172.21.1.1"

You might be able to hack it with something like that (or physically adding 172.21.1.1 vpn.company.com to /etc/hosts in the container). Also, check for IP address conflicts between the Docker daemon and your host machine.

Windows docs seem to suggest they don't support network interfaces as "devices", so you probably need to either create a very specific docker network or modify host networking settings, starting with getting Docker daemon to recognize the VPN network.

See the Configure Advanced Networking section for some examples. I'd try creating a network associated with the VPN device first, then look into flags like --subnet and --gateway.

docker network create -d transparent \
    -o com.docker.network.windowsshim.interface="Ethernet 2" TransparentNet2

This creates a network with a particular subnet and gateway, then runs a container with a statically-assigned IP on that network.

C:\> docker network create -d transparent \
    --subnet=10.123.174.0/23 \
    --gateway=10.123.174.1 MyTransparentNet

C:\> docker run -it --network=MyTransparentNet \
    --ip=10.123.174.105 windowsservercore cmd

Good luck!

Boston answered 14/8, 2020 at 13:27

Dapplegray: Thanks for the answer! I really appreciate it! I'm going to try what you told me right now.

Dapplegray: I tried both options you gave me. 1. Adding the IP in /etc/hosts inside the container. It didn't work. 2. Creating a network, but it gave the message: "Error response from daemon: plugin "transparent" not found." I did some searching; all I found was that transparent is used only in Windows containers, but I'm not sure about that info. Or maybe I explained myself badly and you thought I was using Windows containers; if so, sorry about that. I'm using Docker on Windows 10, but I'm using Docker Linux containers. Is there any way around it? Or a similar command? Thanks!

Dapplegray: I was finally able to do it :) It was basically as you said: I created a network associated with the VPN and used the --network command to give the container that network to use. I did a ping in the container to the VPN and it was OK. The problem I was also having is that using the VPN I needed to pass another IP so I could call the services. Adding it in /etc/hosts didn't do it because when restarting karaf the IP is removed from there. So after searching more I realised I had to add --add-host=example:ip when running the container. It worked as expected after that! Thanks!
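The two things that decided this thread were the answer's advice to check for address conflicts between the Docker network and the host (the question's "bip" attempt put the bridge on the VPN's own range) and the asker's final --add-host fix for the service IP that /etc/hosts edits lost on restart. The following Python script is an added example, not code from the answer, the asker, or the Docker project: it checks a proposed user-defined network against the routes already present on the host, refuses a gateway or --ip outside the subnet, and renders the docker network create / docker run commands with validated --add-host entries. The addresses in HOST_ROUTES, the hostname services.example, and the image name karaf-image are constructed placeholders; on a real host the route list comes from ipconfig or netstat -r.

```python
"""Added helper (not from the answer or the Docker project): checks a
proposed Docker user-defined network against the routes already present
on the host, then renders the `docker network create` / `docker run`
commands. Every address and hostname below is a constructed sample."""
import ipaddress
import re

# Constructed sample of what `ipconfig` / `netstat -r` might show on the
# Windows host: the VPN client's adapter and the office LAN.
HOST_ROUTES = {
    "vpn-adapter": "172.21.1.0/24",
    "lan": "192.168.1.0/24",
}

# Hostnames accepted for --add-host: DNS labels only, no shell metacharacters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def overlapping_routes(subnet, routes=HOST_ROUTES):
    """Names of host routes whose address range overlaps `subnet`.

    Pointing the Docker bridge at the VPN's own range (the "bip" attempt
    in the question) makes the host and the Docker VM disagree about
    where those addresses live, so this should be empty before you
    create the network.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    return sorted(name for name, cidr in routes.items()
                  if net.overlaps(ipaddress.ip_network(cidr, strict=False)))


def network_create_cmd(name, subnet, gateway=None, driver="bridge"):
    """Render `docker network create`, refusing a gateway outside the subnet."""
    net = ipaddress.ip_network(subnet, strict=False)
    if gateway is not None and ipaddress.ip_address(gateway) not in net:
        raise ValueError(f"gateway {gateway} is outside {net}")
    parts = ["docker", "network", "create", "-d", driver, f"--subnet={net}"]
    if gateway is not None:
        parts.append(f"--gateway={gateway}")
    parts.append(name)
    return " ".join(parts)


def run_cmd(image, network, subnet, ip=None, add_hosts=None):
    """Render `docker run` attached to `network`.

    `add_hosts` maps hostname -> IP and becomes repeated --add-host flags,
    which survive container restarts, unlike edits made to /etc/hosts
    inside the running container. No capabilities are added: reaching
    the VPN through the host's routing does not need NET_ADMIN.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    parts = ["docker", "run", "-d", f"--network={network}"]
    if ip is not None:
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"--ip {ip} is outside {net}")
        parts.append(f"--ip={ip}")
    for host, addr in (add_hosts or {}).items():
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"refusing hostname {host!r} for --add-host")
        ipaddress.ip_address(addr)  # raises ValueError on a malformed address
        parts.append(f"--add-host={host}:{addr}")
    parts.append(image)
    return " ".join(parts)


def plan(subnet, gateway, network_name, image, ip, add_hosts, routes=HOST_ROUTES):
    """Return both commands, or raise if the subnet collides with a host route."""
    clashes = overlapping_routes(subnet, routes)
    if clashes:
        raise ValueError(f"{subnet} overlaps host route(s): {', '.join(clashes)}")
    return [network_create_cmd(network_name, subnet, gateway),
            run_cmd(image, network_name, subnet, ip=ip, add_hosts=add_hosts)]


if __name__ == "__main__":
    # The question's attempt: a bridge on the VPN range is flagged.
    print("bip on VPN range overlaps:", overlapping_routes("172.21.1.0/24"))
    # A non-overlapping range plus --add-host for the service behind the VPN
    # (karaf-image and services.example are placeholders).
    for cmd in plan("10.200.0.0/24", "10.200.0.1", "mynet", "karaf-image",
                    "10.200.0.10", {"services.example": "172.21.1.50"}):
        print(cmd)
```

The script only prints the commands; review them and run them yourself. The design point is the one raised in the comments above: a container that merely needs to reach hosts behind the host's VPN does not need --cap-add=NET_ADMIN or a /dev/net/tun device, so the rendered docker run line adds no capabilities, and the service address is supplied with --add-host rather than by editing /etc/hosts inside the container.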
